Quality

Overview Hello Everyone 👋, We have released sbomqs:2.0 last week. This post is about major changes b/w sbomqs:1.x.x and sbomqs:2.0.x. Let’s understand, what exactly changed in sbomqs 2.0, and how it is different from the older 1.x scoring model? If you’ve been using sbomqs for a while, you know that 1.x scoring bundled everything together in a summarized way: $ sbomqs score samples/photon.spdx.json --legacy SBOM Quality by Interlynk Score:6.0 components:38 samples/photon.spdx.json +-----------------------+--------------------------------+-----------+--------------------------------+ | CATEGORY | FEATURE | SCORE | DESC | +-----------------------+--------------------------------+-----------+--------------------------------+ | NTIA-minimum-elements | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 10.0/10.0 | 38/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v1.1 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums_sha256 | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v2.0 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_associated_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_concluded_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_declared_license | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_hash | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_build_process | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_bomlinks | 0.0/10.0 | no bom links found | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_vuln | 10.0/10.0 | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_signature | 0.0/10.0 | No signature or public key | | | | | provided! | +-----------------------+--------------------------------+-----------+--------------------------------+ | Semantic | sbom_required_fields | 10.0/10.0 | Doc Fields:true Pkg | | | | | Fields:true | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums | 0.3/10.0 | 1/38 have checksums | +-----------------------+--------------------------------+-----------+--------------------------------+ | Quality | comp_valid_licenses | 2.9/10.0 | 11/38 components with valid | | | | | license | + +--------------------------------+-----------+--------------------------------+ | | comp_with_primary_purpose | 0.0/10.0 | 0/38 components have primary | | | | | purpose specified | + +--------------------------------+-----------+--------------------------------+ | | comp_with_deprecated_licenses | 10.0/10.0 | 0/38 components have | | | | | deprecated licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_restrictive_licenses | 10.0/10.0 | 0/38 components have | | | | | restricted licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_any_vuln_lookup_id | 0.0/10.0 | 0/38 components have any | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | comp_with_multi_vuln_lookup_id | 0.0/10.0 | 0/38 components have multiple | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_creator_and_version | 10.0/10.0 | 1/1 tools have creator and | | | | | version | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_primary_component | 10.0/10.0 | primary component found | +-----------------------+--------------------------------+-----------+--------------------------------+ | Sharing | sbom_sharable | 0.0/10.0 | doc has a sharable license | | | | | free 0 :: of 1 | +-----------------------+--------------------------------+-----------+--------------------------------+ | Structural | sbom_spec | 10.0/10.0 | provided sbom is in a | | | | | supported sbom format of | | | | | spdx,cyclonedx | + +--------------------------------+-----------+--------------------------------+ | | sbom_spec_version | 10.0/10.0 | provided sbom should be in | | | | | supported spec version for | | | | | spec:SPDX-2.3 and versions: | | | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 | + +--------------------------------+-----------+--------------------------------+ | | sbom_file_format | 10.0/10.0 | provided sbom should be in | | | | | supported file format for | | | | | spec: json and version: | | | | | json,yaml,rdf,tag-value | + +--------------------------------+-----------+--------------------------------+ | | sbom_parsable | 10.0/10.0 | provided sbom is parsable | +-----------------------+--------------------------------+-----------+--------------------------------+ The o/p contains: ...

Hey SBOM enthusiasts 👋 An SBOM isn’t just a list of components anymore — it has detailed information of your software, which contains hundreds of components. And that’s what gives you the transparency of each and every component: such as, who authored it, who supplies it, under what license it’s released, and even what known vulnerabilities it carries. In other words, it’s not just an inventory — it’s visibility into the very DNA of your software. ...

Hey SBOM enthusiasts 👋, These are common challenges faced by all SBOM authors. How can fields such as “NOASSERTION”, “NONE” be filled at a scale ? This issue is widespread because SBOM generation tools often have gaps and limitation. I do not blame any tool for this; it is beyond their capability, as these tools are primarily design to capture the dependencies of a software. SBOM generation depends on various factors, such as the programming language, the package manager used, the type of SBOM build( source build, build time or post build) and the information provided by the software author on their site. ...

Hey SBOM community, Love to see you back here learning something new. If you’re working with SBOMs, you probably know that generating SBOM is just a first step. What you get after generating SBOM is just a raw SBOM ? And the raw SBOM is incomplete, inaccurate sometime and most importantly not even comply with NTIA minimum element according to this research whitepaper. ...

Hey there 👋 SBOM practitioners, compliance engineers, and open-source watchers! If you’ve been working with SBOMs lately—whether you’re producing them or consuming them—you’ve probably noticed how quickly they’ve gone from “nice to have” to absolutely essential. I hope now your getting comfortable on working with SBOMs and familiar with software supply chain security terminologies. We all are well-known about the wake-up call on SBOMs, ...